Posted to rampart-dev@ws.apache.org by Dejan <db...@gmail.com> on 2008/09/29 10:26:06 UTC

Symmetric binding with shared secret. How?

Hi,

When the client and service already have a shared key, can I use that to sign
and encrypt? Do I still need client.properties, and how do I define this in the
policy.xml in that case? Where should I store the shared secret?
Is there any client sample that does this? I checked sample09 from the Rampart
installation, but it's not clear to me how to use
<EmbeddedKeyName>SessionKey</EmbeddedKeyName>.

*Any help is much appreciated*!

Re: Symmetric binding with shared secret. How?

Posted by Dejan <db...@gmail.com>.
Here is an example of a service request/response (implemented using the Sun Metro
and XWSS implementation):

SOAP REQUEST:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       SOAP-ENV:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="XWSSGID-1222762354020-286584283">
                <wsu:Created>2008-09-30T08:12:33.848Z</wsu:Created>
                <wsu:Expires>2008-09-30T08:17:33.848Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="XWSSGID-1222762353584894200328">
                <wsse:Username>xxx</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">****</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">lvRbjXGZuiV4P4gY6p1twUHD</wsse:Nonce>
                <wsu:Created>2008-09-30T08:12:33.848Z</wsu:Created>
            </wsse:UsernameToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XWSSGID-12227623535842138156232">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <ds:Reference URI="#XWSSGID-1222762354020-1855599201">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>CHxSJnfhMGMTC3GtOW3pYejzZrU=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#XWSSGID-1222762354020-286584283">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>XtblRdAi8x2sw8h/Q5rXrKJokA0=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>1n/iMLjPxlIJMH5af0f83TfO9zc=</ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:KeyName>xxx</ds:KeyName>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   wsu:Id="XWSSGID-1222762354020-1855599201">
        ---------
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


SOAP RESPONSE:

<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       S:mustUnderstand="1">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           wsu:Id="XWSSGID-1222762114860-553388788">
                <wsu:Created>2008-09-30T08:08:34.813Z</wsu:Created>
                <wsu:Expires>2008-09-30T08:13:34.813Z</wsu:Expires>
            </wsu:Timestamp>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="XWSSGID-12227608541211917696533">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <ds:Reference URI="#XWSSGID-1222762114844-1694795497">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>kPnbG8DMwnvBzHUgqdfPTBj0Xh0=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#XWSSGID-1222762114860-553388788">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>ZbhiCs3bpfTnG4usLqVKP+67J48=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>6qawpn6zhmXQi+QA/Q9jMjO/fNY=</ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:KeyName>xxx</ds:KeyName>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </S:Header>
    <S:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="XWSSGID-1222762114844-1694795497">
       -------
    </S:Body>
</S:Envelope>


*Your help is much appreciated*!!!

Many Thanks,
Dejan

2008/9/29 Ruchith Fernando <ru...@gmail.com>

> I don't think your scenario is directly supported by Rampart (either
> with 1.0 config or policy-based config) ...
>
> But if you use WSS4J directly the way Rampart uses it then you
> probably should be able to do this.
>
> Do you have any sample messages or the policy of the service?
>
> Thanks,
> Ruchith
>
> On Mon, Sep 29, 2008 at 2:29 PM, Dejan <db...@gmail.com> wrote:
> > I'm trying to use Rampart to encrypt my message body using a symmetric
> > secret key. Sample 9, included with the Rampart distribution, does just
> > this. The actual key is hard-coded in a callback function. My understanding
> > is that the key (EmbeddedKeyName) is the only piece of data needed to encode
> > the message. Please correct me if I am wrong.
> >
> > I was wondering why this part of the client config file:
> >
> > <action>
> > <items>Encrypt</items>
> > <user>client</user>
> > <encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>
> > <EmbeddedKeyCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</EmbeddedKeyCallbackClass>
> > <encryptionPropFile>client.properties</encryptionPropFile>
> > <EmbeddedKeyName>SessionKey</EmbeddedKeyName>
> > </action>
> >
> > contains the encryptionPropFile property.
> > Why do we need client.properties in this case? I do not understand why
> > Rampart needs the keystore in this case. I'm not using public/private keys or
> > certificates, just one secret key.
> >
> > The service-side security is implemented using the Sun Metro and XWSS
> > implementation. From the WS provider I got, for my client, the
> > username/password, a client shared secret to encrypt and a service shared
> > secret to decrypt. The symmetric keys are computed at runtime
> > programmatically, generating an AES-256 key for a given shared secret and
> > using the Decryption/EncryptionKeyCallback.
> >
> > My problem is to translate this using the Rampart and WSS4J implementation.
> > Is this scenario supported in Rampart? If so, can you point me in the right
> > direction?
> >
> >
> > Thanks in advance,
> > Dejan
> >
> > 2008/9/29 Ruchith Fernando <ru...@gmail.com>
> >
> >> There were some discussions on the WS-SX TC about this:
> >>
> >> Please see the following:
> >>
> >> http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html
> >>
> >> The issue # is 163:
> >>
> >> http://lists.oasis-open.org/archives/ws-sx/200802/msg00014.html
> >>
> >> I think we can improve Rampart to support this scenario.
> >> Nandana, can you please confirm whether this is already available?
> >>
> >> Thanks,
> >> Ruchith
> >>
> >>
> >> On Mon, Sep 29, 2008 at 4:26 AM, Dejan <db...@gmail.com> wrote:
> >> > Hi,
> >> >
> >> > When the client and service already have a shared key, can I use that to
> >> > sign and encrypt? Do I still need client.properties, and how do I define
> >> > this in the policy.xml in that case? Where should I store the shared secret?
> >> > Is there any client sample that does this? I checked sample09 from the
> >> > Rampart installation, but it's not clear to me how to use
> >> > <EmbeddedKeyName>SessionKey</EmbeddedKeyName>.
> >> >
> >> > *Any help is much appreciated*!
> >> >
> >>
> >>
> >>
> >> --
> >> http://blog.ruchith.org
> >>
> >
>
>
>
> --
> http://blog.ruchith.org
>
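
The captured request above carries two symmetric-key constructs that the receiving side has to recompute: the UsernameToken PasswordDigest and an HMAC-SHA1 ds:SignatureValue keyed with the shared secret. The Python below is an added example, not code from this thread, Rampart, WSS4J or XWSS. It implements both computations as the WSS Username Token Profile 1.0 and XML Signature define them, and adds the freshness and nonce-replay checks that the digest alone does not provide. The nonce and Created values are copied from the captured request; the password, the 32-byte shared key and the canonicalized SignedInfo bytes are constructed placeholders, and exclusive canonicalization itself is left to an XML-DSig library (the functions take already-canonicalized bytes).

```python
"""Recompute and verify the symmetric constructs from the captured WS-Security header.

Added example; not code from the thread, Rampart, WSS4J or XWSS.
  * UsernameToken PasswordDigest = Base64(SHA-1(nonce_bytes || Created || password)),
    plus the clock-skew and replay checks a verifier must add itself.
  * ds:SignatureValue for hmac-sha1 = Base64(HMAC-SHA1(shared_key, exc-c14n(SignedInfo))).
    Canonicalization is not implemented; callers pass the canonical SignedInfo bytes.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Copied from the captured request header.
NONCE_B64 = "lvRbjXGZuiV4P4gY6p1twUHD"
CREATED = "2008-09-30T08:12:33.848Z"

# Constructed for this example; the real values are masked in the thread.
PASSWORD = "correct horse battery staple"
SHARED_KEY = bytes(range(32))          # stand-in for the AES-256 session key
MAX_CLOCK_SKEW = timedelta(minutes=5)  # same window as Created/Expires in the capture


def parse_wsu_time(text: str) -> datetime:
    """Parse a wsu:Created value (UTC 'Z', fractional seconds optional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a wsu timestamp: {text!r}")


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest: the nonce is hashed as raw bytes, Created and password as UTF-8."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_username_token(nonce_b64, created, digest_b64, password, now, seen_nonces,
                          max_skew=MAX_CLOCK_SKEW):
    """Return (ok, reason). Rejects stale Created, replayed nonces and wrong digests.

    seen_nonces is the verifier's replay cache; a nonce is recorded only on accept,
    so a failed attempt cannot burn a nonce the legitimate client is about to use.
    """
    try:
        created_at = parse_wsu_time(created)
    except ValueError:
        return False, "malformed Created"
    if abs(now - created_at) > max_skew:
        return False, "Created outside clock-skew window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    expected = password_digest(nonce_b64, created, password)
    if not hmac.compare_digest(expected.encode("ascii"), digest_b64.encode("ascii")):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)
    return True, "ok"


def hmac_sha1_hex(key: bytes, data: bytes) -> str:
    """Raw HMAC-SHA1 as hex, for checking against RFC 2202 test vectors."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def hmac_sha1_signature_value(key: bytes, canonical_signed_info: bytes) -> str:
    """ds:SignatureValue for SignatureMethod hmac-sha1: Base64 of the 20-byte MAC."""
    mac = hmac.new(key, canonical_signed_info, hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature_value(key: bytes, canonical_signed_info: bytes, signature_value_b64: str) -> bool:
    """Constant-time comparison of a received SignatureValue against a recomputed one."""
    expected = hmac_sha1_signature_value(key, canonical_signed_info)
    return hmac.compare_digest(expected.encode("ascii"), signature_value_b64.encode("ascii"))


def demo() -> dict:
    """Client side builds the token and signature; service side verifies, then sees a replay."""
    digest = password_digest(NONCE_B64, CREATED, PASSWORD)
    # Constructed placeholder for the exc-c14n output of the ds:SignedInfo element.
    signed_info = b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:SignedInfo>'
    sig = hmac_sha1_signature_value(SHARED_KEY, signed_info)

    now = parse_wsu_time(CREATED) + timedelta(seconds=1)   # service clock, 1 s after Created
    cache: set = set()
    first = verify_username_token(NONCE_B64, CREATED, digest, PASSWORD, now, cache)
    replay = verify_username_token(NONCE_B64, CREATED, digest, PASSWORD, now, cache)
    stale = verify_username_token(NONCE_B64, CREATED, digest, PASSWORD,
                                  now + timedelta(hours=1), set())
    return {
        "digest": digest,
        "signature_value": sig,
        "signature_ok": verify_signature_value(SHARED_KEY, signed_info, sig),
        "tampered_rejected": not verify_signature_value(SHARED_KEY, signed_info + b" ", sig),
        "first": first, "replay": replay, "stale": stale,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the computed digest, the 28-character SignatureValue (20 MAC bytes, the same length as the value in the capture) and the accept/reject decisions for a fresh token, a replayed nonce and a stale Created. The HMAC helper can be checked against RFC 2202 test case 1 (key 0x0b repeated 20 times, data "Hi There").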

Re: Symmetric binding with shared secret. How?

Posted by Ruchith Fernando <ru...@gmail.com>.
I don't think your scenario is directly supported by Rampart (either
with 1.0 config or policy-based config) ...

But if you use WSS4J directly the way Rampart uses it then you
probably should be able to do this.

Do you have any sample messages or the policy of the service?

Thanks,
Ruchith

On Mon, Sep 29, 2008 at 2:29 PM, Dejan <db...@gmail.com> wrote:
> I'm trying to use Rampart to encrypt my message body using a symmetric
> secret key. Sample 9, included with the Rampart distribution, does just
> this. The actual key is hard-coded in a callback function. My understanding
> is that the key (EmbeddedKeyName) is the only piece of data needed to encode
> the message. Please correct me if I am wrong.
>
> I was wondering why this part of the client config file:
>
> <action>
> <items>Encrypt</items>
> <user>client</user>
> <encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>
> <EmbeddedKeyCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</EmbeddedKeyCallbackClass>
> <encryptionPropFile>client.properties</encryptionPropFile>
> <EmbeddedKeyName>SessionKey</EmbeddedKeyName>
> </action>
>
> contains the encryptionPropFile property.
> Why do we need client.properties in this case? I do not understand why
> Rampart needs the keystore in this case. I'm not using public/private keys or
> certificates, just one secret key.
>
> The service-side security is implemented using the Sun Metro and XWSS
> implementation. From the WS provider I got, for my client, the username/password,
> a client shared secret to encrypt and a service shared secret to decrypt. The
> symmetric keys are computed at runtime programmatically, generating an AES-256
> key for a given shared secret and using the Decryption/EncryptionKeyCallback.
>
> My problem is to translate this using the Rampart and WSS4J implementation.
> Is this scenario supported in Rampart? If so, can you point me in the right
> direction?
>
>
> Thanks in advance,
> Dejan
>
> 2008/9/29 Ruchith Fernando <ru...@gmail.com>
>
>> There were some discussions on the WS-SX TC about this:
>>
>> Please see the following:
>>
>> http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html
>>
>> The issue # is 163:
>>
>> http://lists.oasis-open.org/archives/ws-sx/200802/msg00014.html
>>
>> I think we can improve Rampart to support this scenario.
>> Nandana, can you please confirm whether this is already available?
>>
>> Thanks,
>> Ruchith
>>
>>
>> On Mon, Sep 29, 2008 at 4:26 AM, Dejan <db...@gmail.com> wrote:
>> > Hi,
>> >
>> > When the client and service already have a shared key, can I use that to
>> > sign and encrypt? Do I still need client.properties, and how do I define
>> > this in the policy.xml in that case? Where should I store the shared secret?
>> > Is there any client sample that does this? I checked sample09 from the
>> > Rampart installation, but it's not clear to me how to use
>> > <EmbeddedKeyName>SessionKey</EmbeddedKeyName>.
>> >
>> > *Any help is much appreciated*!
>> >
>>
>>
>>
>> --
>> http://blog.ruchith.org
>>
>



-- 
http://blog.ruchith.org

Re: Symmetric binding with shared secret. How?

Posted by Dejan <db...@gmail.com>.
I'm trying to use Rampart to encrypt my message body using a symmetric
secret key. Sample 9, included with the Rampart distribution, does just
this. The actual key is hard-coded in a callback function. My understanding
is that the key (EmbeddedKeyName) is the only piece of data needed to encode
the message. Please correct me if I am wrong.

I was wondering why this part of the client config file:

<action>
<items>Encrypt</items>
<user>client</user>
<encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>
<EmbeddedKeyCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</EmbeddedKeyCallbackClass>
<encryptionPropFile>client.properties</encryptionPropFile>
<EmbeddedKeyName>SessionKey</EmbeddedKeyName>
</action>

contains the encryptionPropFile property.
Why do we need client.properties in this case? I do not understand why
Rampart needs the keystore in this case. I'm not using public/private keys or
certificates, just one secret key.

The service-side security is implemented using the Sun Metro and XWSS
implementation. From the WS provider I got, for my client, the username/password,
a client shared secret to encrypt and a service shared secret to decrypt. The
symmetric keys are computed at runtime programmatically, generating an AES-256
key for a given shared secret and using the Decryption/EncryptionKeyCallback.

My problem is to translate this using the Rampart and WSS4J implementation.
Is this scenario supported in Rampart? If so, can you point me in the right
direction?


Thanks in advance,
Dejan

2008/9/29 Ruchith Fernando <ru...@gmail.com>

> There were some discussions on the WS-SX TC about this:
>
> Please see the following:
>
> http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html
>
> The issue # is 163:
>
> http://lists.oasis-open.org/archives/ws-sx/200802/msg00014.html
>
> I think we can improve Rampart to support this scenario.
> Nandana, can you please confirm whether this is already available?
>
> Thanks,
> Ruchith
>
>
> On Mon, Sep 29, 2008 at 4:26 AM, Dejan <db...@gmail.com> wrote:
> > Hi,
> >
> > When the client and service already have a shared key, can I use that to
> > sign and encrypt? Do I still need client.properties, and how do I define
> > this in the policy.xml in that case? Where should I store the shared secret?
> > Is there any client sample that does this? I checked sample09 from the
> > Rampart installation, but it's not clear to me how to use
> > <EmbeddedKeyName>SessionKey</EmbeddedKeyName>.
> >
> > *Any help is much appreciated*!
> >
>
>
>
> --
> http://blog.ruchith.org
>

Re: Symmetric binding with shared secret. How?

Posted by Ruchith Fernando <ru...@gmail.com>.
There were some discussions on the WS-SX TC about this:

Please see the following:

http://lists.oasis-open.org/archives/ws-sx/200801/msg00011.html

The issue # is 163:

http://lists.oasis-open.org/archives/ws-sx/200802/msg00014.html

I think we can improve Rampart to support this scenario.
Nandana, can you please confirm whether this is already available?

Thanks,
Ruchith


On Mon, Sep 29, 2008 at 4:26 AM, Dejan <db...@gmail.com> wrote:
> Hi,
>
> When the client and service already have a shared key, can I use that to sign
> and encrypt? Do I still need client.properties, and how do I define this in the
> policy.xml in that case? Where should I store the shared secret?
> Is there any client sample that does this? I checked sample09 from the Rampart
> installation, but it's not clear to me how to use
> <EmbeddedKeyName>SessionKey</EmbeddedKeyName>.
>
> *Any help is much appreciated*!
>



-- 
http://blog.ruchith.org